Apologies for dredging this up.... Finally got time to reply.
I believe critics were not understanding the logical conclusion
to the idea of a 'passive', or more descriptively 'invisible'
firewall.
I've been thinking of hacking a prototype together, but unless
someone comes up with funding to support my family....
Anyway, here's my take on it:
Firewalls should be invisible AND they should perform all of the
functions they perform now. How? Well, obviously I don't have this
completely worked out, but I think of the perfect solution as a
promiscuous (in the ethernet sense) man-in-the-middle transparent
router/filter/firewall. (The simple case could have standard gateway
style routing I think for incoming.)
The idea is simply to make the inside machines think they
are talking directly to external machines and vice versa.
Instead, the firewall/router intercepts all intervening traffic
and processes it at the desired level (packet, application,
proxy).
How does this differ from a traditional firewall? The inside/outside
machines use actual ip addresses (although they may be 'symbolic' of
the actual internal machine address for opaqueness). The internal
machines could even use the 'reserved for internal use' ip ranges.
The externally needed ip range would only need to cover the number of
visible servers and simultaneous IPs needed. Since each IP can
handle only one set of standard server (i.e. ftpd, telnetd) ports, but
multiple temp. outgoing ports (telnet, ftp, ...), this would depend on
the circumstances. It should be much lower than the number of hidden
machines, obviously.
The firewall/router must look like multiple IP addresses arbitrarily
on both internal and external interfaces and potentially differentiate
between the same address on each side.
In other words, the standard method of ftping or telneting out through
a proxy would be 'transparent' because the firewall would have all the
connection info from the connect attempt on the inside. It
could send the packet with an IP address of the original system, or
from a pool of addresses signifying random opaque systems.
Servers for incoming requests could be done the same way.
The problem with implementation of course is that ethernet interfaces
usually have 2 programmable auto-interrupt, auto-receive-data IP
addresses and then promiscuous mode. Only very fast machines can
reliably handle the dataflow of promiscuous mode. It's not uncommon
now. HP PA-RISC systems for instance.
The remaining problem is how to more transparently handle incoming
or other connections that need to be highly authenticated.
These could still be done inline, or possibly with various policies
allowing 'ryder' connections to authenticate other connections.
In other words, a telnet session could be used to authenticate
a user and return a 'key' in the form of a randomly activated IP
address and/or DNS name (random numbered name). This new IP
would then allow connections from the same IP address for a limited
time. Of course Kerberos (public key version?) et al. is
the logical conclusion of this area.
The internal systems would only be visible to the extent that
the firewall/router allowed, not much differently than now.
It does allow for more visibility if desired since particular
aspects of internal systems could be made visible, and at
randomly chosen ip addresses.
I would start implementation on a fairly fast system and see
what it would require: a 90MHz Pentium with EISA ethernet
possibly and Linux or FreeBSD to have source code.
I actually felt right at the beginning of using and learning about
firewalls that this is what they should be. Now that I install them,
I'm even more frustrated.
Problems? Solutions? Go away until I have it working?
> ** Low Priority **
> gaus@znanost.hr wrote:
>
> >My contribution to philosophical thread.
>
> >It seems to me that having firewalls as they are now means introducing
...
> >What's wrong with this idea?
>
> I wouldn't say there was anything "wrong" with the idea. It has a lot of
> appeal, since the passive black box can actually sit astride the
> communications link and be completely non-addressable and thus
> non-reachable from the network.
>
> However, there is one potential disadvantage in that the invisible firewall
> cannot mask the protected network. All hosts are completely visible to
> the outside.
>
> Like everything to do with firewalls and security, there is always a trade-off.
>
> Cheers,
> John Kidston CITEC, Australia kidstoj@citec.qld.gov.au
I think there's plenty of room for improvement.
sdw
--
Stephen D. Williams Local Internet Gateway Co.; SDW Systems 510 503-9227APager
LIG dev./sales Internet: sdw@lig.net In Bay Area Aug94-Feb95!!!
OO R&D Source Dist. By Horse: 2464 Rosina Dr., Miamisburg, OH 45342-6430
Internet Consulting ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work
Newbie Notice:
I speak for LIGCo., CCI, myself, and no one else, regardless of
where it is convenient to post from or thru.
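A minimal model of the address-rewriting half of the design sketched in the post above, added here as an illustration and not code from the thread or its authors: the firewall keeps per-flow state so inside hosts appear to come from a small pool of external addresses, replies are mapped back from that state, and anything with no inside-originated flow, or whose flow has gone idle, is dropped. The pool addresses, hosts, ports and timeout are constructed values.

```python
import random


class TransparentFirewall:
    """Per-flow address rewriting for an 'invisible' firewall (constructed example).

    Outbound flows are rewritten to a (pool address, port) pair so inside
    addresses never appear outside; replies are mapped back using the stored
    connection state; anything else is dropped."""

    def __init__(self, pool, idle_timeout=300, seed=1):
        self.pool = list(pool)              # external addresses the firewall answers for
        self.idle_timeout = idle_timeout    # seconds of silence before a flow is forgotten
        self.rng = random.Random(seed)      # seeded so the pool choice is repeatable
        self.out = {}    # (in_ip, in_port, dst_ip, dst_port) -> (ext_ip, ext_port, last_seen)
        self.back = {}   # (ext_ip, ext_port, dst_ip, dst_port) -> (in_ip, in_port)
        self.next_port = {ip: 1024 for ip in self.pool}

    def outbound(self, in_ip, in_port, dst_ip, dst_port, now):
        """Packet leaving the inside; returns the (ip, port) it is sent from."""
        key = (in_ip, in_port, dst_ip, dst_port)
        entry = self.out.get(key)
        if entry is not None and now - entry[2] > self.idle_timeout:
            self._forget(key)                    # stale state: start a fresh mapping
            entry = None
        if entry is None:
            ext_ip = self.rng.choice(self.pool)  # random opaque address from the pool
            ext_port = self.next_port[ext_ip]
            self.next_port[ext_ip] += 1
            self.back[(ext_ip, ext_port, dst_ip, dst_port)] = (in_ip, in_port)
            entry = (ext_ip, ext_port, now)
        self.out[key] = (entry[0], entry[1], now)
        return entry[0], entry[1]

    def inbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Packet arriving from outside; returns the inside (ip, port) or None if dropped."""
        inner = self.back.get((dst_ip, dst_port, src_ip, src_port))
        if inner is None:
            return None                          # no inside-originated flow: drop
        key = (inner[0], inner[1], src_ip, src_port)
        ext_ip, ext_port, last_seen = self.out[key]
        if now - last_seen > self.idle_timeout:
            self._forget(key)                    # idle flow: forget it and drop
            return None
        self.out[key] = (ext_ip, ext_port, now)
        return inner

    def _forget(self, key):
        ext_ip, ext_port, _ = self.out.pop(key)
        self.back.pop((ext_ip, ext_port, key[2], key[3]), None)
```

The outside only ever sees the pool addresses, which is the masking property the quoted reply says a purely passive box cannot provide.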